‘Cancel or allow’ overload

“A hybrid solution that takes the best parts of iOS’s one-by-one acceptance and Android’s expressed and obvious intents seems like a proper model here. In fact, Apple has many of the pieces in place elsewhere.” This is a big issue. Neither Android’s model (just list a bunch of confusing permissions) nor Apple’s model (individual modal dialogs for each permission) is particularly workable – I doubt regular users check them on Android before installing an application, and in the case of iOS, Apple didn’t think it was necessary to secure the address book, so every application has access to it without alerting users. Justin Williams proposes a hybrid solution.

17 Comments

I was using the Woolworths application, and a particular update (accidentally) required ALL the permissions. Some of these were fairly scary sounding — making phone calls, looking at account data. I also needed to do the update manually, because the permissions had *changed*.

Not only did I notice it, but so did a lot of others. A lot of their reviews went to 1 star with a lot of swearing about the permissions. Woolworths needed to clarify that this was a programming error and everything would be fixed shortly.

I will also check the permissions of any app I install. If the app requires permissions to some things that I feel are unnecessary, then I won’t install it. Judging by reviews, plenty of others feel the same way.

Me too, especially when an already installed app wants to change permissions… I look that over very carefully. For all I know, their servers may have gotten hacked and somebody pushed out a malicious version of the app.

I check the permissions of every single app I install on my Transformer, and in some ways it’s taken a little bit of the shine off the tablet experience for me. It’s astounding how many apps – put out by companies that most would consider “reputable” – have permissions that, really, they shouldn’t need.

For example, I haven’t upgraded my Netflix app (and I might even just uninstall it) because the updated permissions allow it to read the system logs… why the hell does Netflix need to know what goes on deep in the bowels of my tablet?!

Part of what bugs me is that there’s never any justification given whatsoever. Sure, some permissions I can figure out the developers need it for, but there are also plenty of times I’m scratching my head as to why they need something so unrelated or low-level. But there’s nowhere I can go to find out where that decision came from (short of contacting the devs, I suppose).

I’ve actually done that before. When I installed the Slacker radio app and saw that it wanted permission to access my contacts, I went to their forums and asked why. I forget what they said, something about sharing a song with friends or some such. But it sounded legit to me, so I went ahead and let it through.

The question is, though, why is this permission *required*? Maybe I don’t want to share songs with my friends.

A properly designed application should degrade gracefully to running with less features with less permissions if the feature isn’t absolutely necessary.

There are 3rd party firewall apps that let you deny specific permissions to any app, but I’m not sure there’s a way for an application developer to make permissions optional in Android when you install the app. So, this seems like a limitation of the OS.

In addition to making these optional, I’d like to see a small description field by each permission, where the developer can tell you at install time why a specific permission is needed. Of course, they could always lie, but at least they’d have to come up with something that sounded legit.
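As an added illustration of the behaviour this comment asks for (graceful degradation plus a short explanation of why a permission is wanted), and not code from the thread or from any app mentioned in it: on Android 6.0 (API 23) and later, permissions are requested at runtime rather than at install time, so an app can treat READ_CONTACTS as optional. The class and method names (SongShareActivity, onShareTapped, shareWithContacts, sendLink), the request code and the song URL are all hypothetical; the Android and androidx calls are real. It goes slightly beyond the comment by also showing the rationale dialog that stands in for the “small description field” wished for above.

```java
// Added example, not from the original thread. Assumes Android 6.0+ runtime
// permissions and the androidx.appcompat / androidx.core libraries.
// The manifest still declares
//   <uses-permission android:name="android.permission.READ_CONTACTS"/>
// but the grant is asked for, in context, only when the feature is used.
import android.Manifest;
import android.app.AlertDialog;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.os.Bundle;
import android.provider.ContactsContract;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;
import java.util.ArrayList;
import java.util.List;

public class SongShareActivity extends AppCompatActivity {   // hypothetical name
    private static final int REQ_CONTACTS = 41;               // hypothetical request code
    private static final String SONG_URL = "https://example.invalid/song/123"; // constructed

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Nothing contact-related happens at start-up; the app is fully usable without it.
    }

    // Entry point when the user taps "share this song".
    public void onShareTapped() {
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.READ_CONTACTS)
                == PackageManager.PERMISSION_GRANTED) {
            shareWithContacts();
        } else if (ActivityCompat.shouldShowRequestPermissionRationale(
                this, Manifest.permission.READ_CONTACTS)) {
            // The user declined once before: say why the permission is wanted,
            // and make clear that refusing still leaves a working share feature.
            new AlertDialog.Builder(this)
                    .setMessage("Contacts access is only used to pick a friend to send "
                            + "this song to. You can still share it as a link without it.")
                    .setPositiveButton("Ask again", (d, w) -> requestContacts())
                    .setNegativeButton("Share as link", (d, w) -> sendLink(SONG_URL))
                    .show();
        } else {
            requestContacts();
        }
    }

    private void requestContacts() {
        ActivityCompat.requestPermissions(this,
                new String[]{Manifest.permission.READ_CONTACTS}, REQ_CONTACTS);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_CONTACTS) return;
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            shareWithContacts();
        } else {
            sendLink(SONG_URL);   // denied: degrade to the permission-free path
        }
    }

    // Needs READ_CONTACTS: reads display names and lets the user pick one.
    private void shareWithContacts() {
        List<String> names = new ArrayList<>();
        try (Cursor c = getContentResolver().query(
                ContactsContract.Contacts.CONTENT_URI,
                new String[]{ContactsContract.Contacts.DISPLAY_NAME},
                null, null, ContactsContract.Contacts.DISPLAY_NAME + " ASC")) {
            while (c != null && c.moveToNext()) names.add(c.getString(0));
        }
        new AlertDialog.Builder(this)
                .setTitle("Share with")
                .setItems(names.toArray(new String[0]),
                        (d, i) -> sendLink("Hi " + names.get(i) + ", listen to this: " + SONG_URL))
                .show();
    }

    // Needs no permission at all: hands the text to the system share sheet.
    private void sendLink(String text) {
        Intent send = new Intent(Intent.ACTION_SEND)
                .setType("text/plain")
                .putExtra(Intent.EXTRA_TEXT, text);
        startActivity(Intent.createChooser(send, "Share song"));
    }
}
```

The design point is that the contact-reading path is an enhancement layered on a feature that already works with zero permissions, so a user who says no loses nothing essential and the app never has to demand the grant up front.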

To be honest, I’m afraid that only computer geeks take computer security seriously.

A significant part of desktop and laptop users in this world still run a cracked XP as administrator, with automatic updates disabled and IE 6 as their main web browser, and only hardware breakage will possibly make them switch to something else.

Then, on a more “professional” level, we can also think of all these ATMs running NT4 or OS/2, and sticking with the factory-provided PIN code for access to service functions…

Sad truth is, computer security only works on a large scale if you throw it in the newbie’s face. The difficult part is to find a way to do so without harming the user experience too much, so that security warnings don’t become yet another annoyance that people skim through without reading. UAC-like repetitive Cancel/Allow dialogs are a typical example of failure at this task.

The difficult part is to find a way to do so without harming the user experience too much, so that security warnings don’t become yet another annoyance that people skim through without reading. UAC-like repetitive Cancel/Allow dialogs are a typical example of failure at this task.

I agree with you on this point; desensitization to security by things like overactive security prompting is a serious concern. But so is the attitude by many users of alternative platforms such as Mac OS who proclaim that they’re perfectly safe because “Macs don’t get viruses”.

I’m including platforms like Linux and FreeBSD in that statement as well – and I say that as a Linux user. While I do recognize that there is a reduced risk of malware, I always respect that there are perfectly adequate conditions for them to exist. I even treat the age-old advice to “stick with repositories and you’re perfectly safe” as a half-truth; those repositories have the potential to be compromised if someone has enough knowledge and determination.

Security by scarcity only works as long as it’s felt that the effort expended to create something sinister is more than the potential gain. It’s difficult to pinpoint that threshold, and with growing popularity the risk increases every day.

To be honest, I’m afraid that only computer geeks take computer security seriously.

Too true. Too many people simply trust that “Norton will protect me”, “Microsoft will protect me”, “Apple will protect me”, “Google will protect me”, etc. And while I understand that nobody can get anything accomplished if they don’t at least rely on trusting others, there’s a big difference between giving a large corporate entity 100% of your trust or 99% of your trust.

Yes, disinformation campaigns of the kind “xxx is based on UNIX, so it is invincible” certainly do more harm than good.

After all, scanf() is historically a function of the standard UNIX library, and most Unices used MD5 for password hashing purposes before its vulnerabilities became widely known. Meanwhile, on the Windows side, Microsoft got some nice stuff out of the door in the Vista days (DEP, ASLR, IE sandboxing…), even though they still have lots of past mistakes to correct, some of which they might not want to deal with (such as the excessive use of Trident all over the most critical UI elements).

In the end, I believe that what makes current desktop *nix boxes more secure is only a combination of small market share and higher user education. Give Macs and Linux boxes a larger market share and less computer-literate users, and I bet that in a few years the platform will be an absolute security nightmare. Centralized repositories like the Mac App Store won’t help, because their operation requires trusting so much manpower that they will be an easy target for a determined attacker. At worst, they may even serve as a privileged channel to steal credit card information and create massive botnet networks through fake application updates, due to their overreaching nature.

In my opinion, the secure OS of tomorrow must not rely solely on centralized vetting and will also implement strong security checks at the client level. In addition, OS developers will have to cooperate better with developers to reduce the minimal amount of security permissions which an average application requires, so that it is safe to display no warning to the user when installing a harmless soft (video game, office suite, media player…).

This way, security warnings would have much more impact, striking users as something out of the ordinary and highly suspicious. For knowledgeable users who actually want to install something dangerous (drivers, etc…), said security warnings could also be more informative, clearly stating which permissions are required and what their effect is (kind of like what Android does). This would allow one to quickly check that a given piece of software is not allowed to do more than it’s supposed to.

Security only works when you pay attention to it every day. Yes it hurts, but only that way can you be sure to be safe.

Fact is, any operating system is insecure if you do not take care of it.

Windows can be made as secure as any Unix, and Unix can be as insecure as Windows is usually made to believe.

There are Linux users running as root because sudo is as annoying as UAC (their words not mine).

Plus if you don’t run the applications inside a sandbox like SELinux, AppArmor, Mac OS-X Sandboxes, HP-UX Virtual Partitions, among others, an application can always be owned and destroy/use all the $HOME contents.

I usually look at the permissions (more often than not). Recently I installed a live wallpaper that had far too many permissions for what it did. It read shortcuts, created shortcuts, looked at contacts, etc. I removed it shortly thereafter and deleted the one shortcut it did create. I then rated it 1 star for requiring too much permission though I did praise the artwork/animation. Hey at least I’ll be fair!

Too bad the author doesn’t allow commenting; I wanted to congratulate him on a good article. I love Android’s up-front permissions question, but I think that it’d be really handy to turn permissions on and off as needed — sometimes I’d really love to use an app but it wants to be a bit more free with my data than I’d like, and why couldn’t I just turn off certain features?

I’m dreaming up a web app that may or may not allow third-party plugins, and this would be an ideal permission system to use.